Why must our internet infrastructure be so fucked.

  • Nath@aussie.zoneM · 3 upvotes · 9 months ago

    Having been on the other end of this situation before, I’m going to disagree with this take. On a normal network, yes, you have a firewall to block traffic except to specific IPs/ports. Once you are in the millions-of-nodes realm though (and I only ever got into the hundreds of thousands), a firewall is too unwieldy. You can never keep it up to date with all your customers’ comings and goings. Imagine you have 10 million customer devices and 0.01% of them come or go on any given day. That’s 10,000 firewall updates per day. You’re spending a lot of tech time maintaining and updating that firewall, and you introduce a small risk of an incident with every firewall update. And for what? For the most annoying of your customers.

    Sorry to be blunt, but it’s true. The tiny proportion of customers who want to be able to remotely connect to their home networks are the first to complain about any sort of network congestion (particularly uploads, which regular users don’t even notice). They make a lot of noise about every $5/month price increase. They are the most likely to be doing sketchy stuff on the network. And six months down the line when there’s some new exploit, they’re the most likely vector into the network of the latest worm as they didn’t maintain their security updates diligently. It is far easier to simply not cater to them and let them be someone else’s problem. As customers, they aren’t profitable.

    You handle this by putting your static IP customers on a special VLAN and charging them for the service. And then yes: you have a manageable firewall sample.

    • Salvo@aussie.zone · 2 upvotes · 9 months ago

      As a customer who has their own UniFi Security Gateway and also ran services from home during the old BigPond Cable days, everything that Nath has said is correct.

      Back in the ’90s BigPond used to do everything possible to prevent us from running our own unmetered file sharing network. We had a set of relays and proxies which meant that we were able to share files with other BigPond users, bypassing the billing system. I am sure that the management at BigPond Cable hated this while the technicians (who also had BigPond Cable) enabled it.